← Back to IBM WebSphere Traditional V9.x Security Technical Implementation Guide

V-255875

CAT II (Medium)

The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.

Rule ID

SV-255875r1193273_rule

STIG

IBM WebSphere Traditional V9.x Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-000803 CCI-001188 CCI-002418 CCI-002421 CCI-002422 CCI-002450

Discussion

Encryption is only as good as the encryption modules in use. Unapproved cryptographic module algorithms cannot be verified or be relied upon to provide confidentiality or integrity, and DOD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client. FIPS 140-2-approved TLS versions include TLS V1.0 or greater. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.

Check Content

Note: If FIPS 140-3 is configured in WBSP-AS-001770, this is not applicable.

From the administrative console, click Security >> SSL certificate and key management >> Manage FIPS.

If "Enable FIPS 140-2" is not selected, this is a finding.

Fix Text

From administrative console, click Security >> SSL certificate and key management >> Manage FIPS.

Check "Enable FIPS 140-2".

Click "Save".

Synchronize with the nodes.

Restart all the JVMs.